Our hosting platform (running IIS6/ASP.NET 2.0) is configured to run under partial trust. In the machine wide web.config
file we set the ASP.NET trust level to Medium
(and lock to prevent overrides) and use a modified policy file.
When trying to add a custom HttpHandler
to handle .aspx
requests for a website running in this configuration I get the following security exception:
Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.
Exception Details: System.Security.SecurityException: Request failed.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SecurityException: Request failed.]
System.Reflection.Assembly._GetType(String name, Boolean throwOnError, Boolean ignoreCase) +0
System.Reflection.Assembly.GetType(String name, Boolean throwOnError, Boolean ignoreCase) +42
System.Web.Compilation.CompilationUtil.GetTypeFromAssemblies(AssemblyCollection assembliesCollection, String typeName, Boolean ignoreCase) +172
System.Web.Compilation.BuildManager.GetType(String typeName, Boolean throwOnError, Boolean ignoreCase) +291
System.Web.Configuration.ConfigUtil.GetType(String typeName, String propertyName, ConfigurationElement configElement, XmlNode node, Boolean checkAptcaBit, Boolean ignoreCase) +52
I'm using a class derived from PageHandlerFactory
, for example:
public class MyPageHandlerFactory : PageHandlerFactory
{
public override System.Web.IHttpHandler
GetHandler(System.Web.HttpContext context,
string requestType,
string virtualPath,
string path)
{
// CustomPageHandler derives from System.Web.UI.Page
return new CustomPageHandler();
}
}
My web.config
httpHandler
configuration is as follow:
<httpHandlers>
<add verb="*" path="*.aspx" type="MyPageHandler.MyPageHandlerFactory" />
</httpHandlers>
The documentation for PageHandlerFactory
shows that PageHandlerFactory
is decorated with the following attributes:
[PermissionSetAttribute(SecurityAction.LinkDemand, Unrestricted = true)]
[PermissionSetAttribute(SecurityAction.InheritanceDemand, Unrestricted = true)]
public class PageHandlerFactory : IHttpHandlerFactory
Does this mean that I need to set ASP.NET to run at Full Trust
to be able to create my own PageHandlerFactory
classes?